All Rights Reserved | Page 1
Presenters

Hardeep Mehrotara – Manager of IT Security DevSecOps, Coast Capital Federal Credit Union

Seyed Hejazi – Director, Security and Privacy Risk, RSM Canada
Presentation agenda

1. What is happening in the wild?
   - Notable events
   - Demystifying the SolarWinds attack
2. Growing attack trends in the financial industry
   - Attack types
   - Attack sophistication
3. Cybersecurity in the pandemic era
4. Where to start
   - A tiered approach
   - The Board's role
   - What to ask
WHAT IS HAPPENING IN THE WILD?
Cyber through statistics
Statistics on the state of cybersecurity and incidents

- 94% of workloads will be processed by cloud data centers in 2021 (Cisco)
- 76% of global office workers want to continue working from home post-COVID-19 (Global Workplace Analytics)
- 98% of cyber-insurance claims ($589M in total) came from small to medium enterprises (SMEs) with less than $2 billion in annual revenue (RSM / NetDiligence)
- 93% of global IT leaders delayed security priorities when the world stayed at home (Tanium)

Middle market findings:

- 18% of middle market C-suite executives claimed that their company experienced a data breach last year
- 2000% increase in attacks targeting industrial control systems (ICS) and operational technology since 2018
- 23% of middle market executives claimed a ransomware attack or demand during the past 12 months
Notable events

- SolarWinds supply chain attack
- Microsoft Exchange Server vulnerabilities
- Colonial Pipeline ransomware attack
- US Executive Order on Improving the Nation's Cybersecurity (EO 14028, May 2021)
Demystifying the SolarWinds attack – Overview

What happened?
SolarWinds Orion is a platform that monitors the status and health of IT systems. Threat actors compromised the SolarWinds build process and inserted a backdoor into the Orion software, which then reached customers as a legitimately signed vendor update. Not all versions of the software were affected; however, the versions that were affected give the threat actor a foothold in every environment where they were installed, with the broad network and credential access a monitoring platform typically holds.

Who is impacted?
More than 18,000 SolarWinds customers downloaded the affected versions of the Orion software. Early reports stated that victims were primarily state and federal governments; according to Microsoft, there were 40+ victims as of December 18, 2020. Security and technology companies that publicly reported being affected by, or targeted in, the same campaign included:
• CrowdStrike
• Fidelis
• FireEye
• Malwarebytes
• Palo Alto Networks
• Qualys
• Mimecast
• Microsoft
Demystifying the SolarWinds attack – Have I been compromised?
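The slide poses the question but the deck does not show how to answer it. The following is an added example, not code from the presenters or from SolarWinds, showing the three first-pass checks a responder would run: is the installed Orion build one that shipped the backdoor, does the on-disk business-layer DLL match a published IOC hash, and has any host resolved the first-stage beacon domain. The affected build list, the DLL name and the domain are taken from the public SolarWinds and CISA (AA20-352A) advisories, not from the deck; the hash list is deliberately left as caller input so it can be copied from the current advisory, and the resolver log format and every value in it are constructed for the example.

```python
"""Added example: first-pass triage for the SolarWinds Orion (SUNBURST) compromise.
Affected builds, DLL name and beacon domain come from the public vendor/CISA advisories;
IOC hashes are supplied by the caller; the sample DNS log is constructed."""
import hashlib
import re
from pathlib import Path

# Orion Platform builds that shipped the trojanized DLL (per the vendor advisory).
# Assumption: this list is current for your environment; re-check the advisory.
AFFECTED_BUILDS = {
    ("2019.4", "HF5"),
    ("2020.2", None),    # 2020.2 with no hotfix installed
    ("2020.2", "HF1"),
}
BACKDOORED_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"
C2_DOMAIN = "avsvmcloud.com"   # first-stage SUNBURST beacon domain (public advisories)

_VERSION_RE = re.compile(r"^(\d{4}\.\d+(?:\.\d+)?)(?:\s*HF\s*(\d+))?$", re.IGNORECASE)
_DNS_RE = re.compile(r"client=(?P<src>\S+)\s+query=(?P<qname>\S+)")


def parse_orion_version(text):
    """Normalise '2020.2 HF 1', '2019.4 HF5' or '2020.2.1' to (base, hotfix-or-None)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    base, hotfix = m.group(1), m.group(2)
    return base, (f"HF{int(hotfix)}" if hotfix else None)


def is_affected_build(version_text):
    """True when the installed Orion build is one that carried the backdoor."""
    return parse_orion_version(version_text) in AFFECTED_BUILDS


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def dll_is_known_bad(dll_bytes, known_bad_sha256):
    """Compare the DLL's SHA-256 with IOC hashes published by the vendor/CISA.
    A miss does NOT prove the host is clean: the actor also dropped follow-on tooling."""
    return sha256_hex(dll_bytes) in {h.lower() for h in known_bad_sha256}


def check_dll_on_disk(path, known_bad_sha256):
    """Hash the business-layer DLL found in the Orion install directory."""
    p = Path(path)
    if p.name.lower() != BACKDOORED_DLL.lower():
        raise ValueError(f"expected {BACKDOORED_DLL}, got {p.name}")
    return dll_is_known_bad(p.read_bytes(), known_bad_sha256)


def find_c2_lookups(dns_log_lines):
    """Return (client, qname) for every query to the beacon domain or a subdomain of it.
    SUNBURST beaconed to generated subdomains, so match on the suffix, not the full name."""
    hits = []
    for line in dns_log_lines:
        m = _DNS_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            hits.append((m.group("src"), qname))
    return hits


# Constructed sample resolver log (hypothetical format and values, not real telemetry).
SAMPLE_DNS_LOG = [
    "2020-12-14T03:11:02Z client=10.20.0.15 query=orion-srv01.corp.example.",
    "2020-12-14T03:11:09Z client=10.20.0.15 query=k1m4xw2pq9s7bt3rn6vc.appsync-api.eu-west-1.avsvmcloud.com.",
    "2020-12-14T03:12:40Z client=10.20.0.44 query=avsvmcloud.com.cdn.example.net.",  # look-alike, not a hit
]

if __name__ == "__main__":
    for v in ("2019.4 HF5", "2020.2", "2020.2 HF 1", "2020.2.1 HF2"):
        print(f"{v:14s} affected={is_affected_build(v)}")
    for client, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"beacon lookup from {client}: {qname}")
```

Run it against the Orion server's "About" version string, the DLL under the Orion install directory (with `check_dll_on_disk`) and an export of resolver or proxy logs covering the period from the affected update's release onward. A match on the version or hash means the backdoor was present; a beacon lookup means it actually ran, and the host should be treated as compromised and handed to incident response rather than simply patched.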
GROWING ATTACK TRENDS IN THE FINANCIAL INDUSTRY
Attacks in the financial industry – Attack types

- Ransomware as a Service
- Ransom-based DDoS attacks
- Remote infrastructure attacks
- Supply chain attacks
Attacks are growing in sophistication

- Targeting both Windows and Linux environments
- Encrypting files using strong encryption, so there is no practical recovery without the key; offline backups and early detection become the controls that matter
- Access to malware admin panels via Tor to manage builds, payments and documentation while maintaining anonymity
- Automated test decryption for the victim, with the process from encryption through payment to withdrawal of the money automated end to end
- DDoS options at Layer 3 and Layer 7 to add pressure during extortion
- Affiliates: a partner who provides network access (an initial access broker), or a person or team with penetration-testing skills
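The encryption stage is the one point in this list a defender can still observe on the host, and the same behavioural signal applies on Windows and Linux file servers alike: one process writing many near-random files in a short burst. The following is an added example, not code from the presenters, that implements that detection over file-write telemetry. The event format, the process names, the hosts and the file contents are all constructed for the example; the "ciphertext" is a deterministic SHA-256 chain standing in for real encrypted output.

```python
"""Added example: behavioural detection of the ransomware encryption stage
(high-entropy write bursts per process), platform-agnostic. All sample data is constructed."""
import hashlib
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.5        # bits per byte; ciphertext and compressed data sit close to 8.0
MIN_FILES = 5                  # high-entropy writes by one process within WINDOW before alerting
WINDOW = timedelta(seconds=60)
# Formats that are legitimately near-random (compressed/encrypted by design). Caveat: ransomware
# that encrypts in place and keeps the original .docx/.zip name will slip past this allow-list.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".rar", ".jpg", ".png", ".mp4", ".docx", ".xlsx", ".pptx", ".pdf"}


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _ext(path):
    name = re.split(r"[\\/]", path)[-1]          # handles both D:\share\x and /srv/x
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def is_suspicious_write(event, threshold=ENTROPY_THRESHOLD):
    """A single write looks like encryption when its content is near-random and the
    resulting extension is not one that is expected to be near-random."""
    if _ext(event["path"]) in HIGH_ENTROPY_OK:
        return False
    return shannon_entropy(event["head"]) >= threshold


def detect_mass_encryption(events, window=WINDOW, min_files=MIN_FILES):
    """Group suspicious writes by (host, process) and alert on a burst inside `window`.
    Returns one alert per offending process listing every file in the burst."""
    by_actor = defaultdict(list)
    for e in events:
        if is_suspicious_write(e):
            by_actor[(e["host"], e["process"])].append(e)
    alerts = []
    for (host, process), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= min_files:
                last = end                                       # extend to the end of the burst
                while last + 1 < len(evs) and evs[last + 1]["ts"] - evs[start]["ts"] <= window:
                    last += 1
                alerts.append({"host": host, "process": process,
                               "first_seen": evs[start]["ts"], "last_seen": evs[last]["ts"],
                               "files": [x["path"] for x in evs[start:last + 1]]})
                break                                            # one alert per actor
    return alerts


# ---- constructed sample telemetry (hypothetical EDR-style file-write events) ----
def _pseudo_ciphertext(seed, size=4096):
    """Deterministic stand-in for cipher output: chained SHA-256 blocks, near 8 bits/byte."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def _ev(ts, host, process, path, head):
    return {"ts": datetime.fromisoformat(ts), "host": host, "process": process, "path": path, "head": head}


_T = "2024-05-01T10:00:"
SAMPLE_EVENTS = (
    # Windows file server: unknown binary rewrites six spreadsheets as *.locked within 25 s.
    [_ev(f"{_T}{5 * i:02d}", "WIN-FS01", "updsvc.exe", f"D:\\shares\\finance\\q{i}.xlsx.locked", _pseudo_ciphertext(f"w{i}"))
     for i in range(6)]
    # Same server: an archiver writes six .7z files. High entropy, but an expected format.
    + [_ev(f"{_T}{5 * i:02d}", "WIN-FS01", "7zG.exe", f"D:\\backup\\set{i}.7z", _pseudo_ciphertext(f"z{i}"))
       for i in range(6)]
    # Workstation: Notepad saving plain text, low entropy.
    + [_ev(f"{_T}{10 * i:02d}", "WIN-WS22", "notepad.exe", f"C:\\Users\\ana\\notes{i}.txt", b"Quarterly notes: revenue flat. " * 120)
       for i in range(3)]
    # Linux web server: a dropped binary in /tmp encrypts the web root as *.enc within 12 s.
    + [_ev(f"{_T}{3 * i:02d}", "srv-lnx-03", "/tmp/.x", f"/var/www/html/page{i}.html.enc", _pseudo_ciphertext(f"l{i}"))
       for i in range(5)]
)

if __name__ == "__main__":
    for a in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']} {a['process']}: {len(a['files'])} encrypted-looking writes "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

Two design points matter in practice. Entropy alone produces false positives on archives, media and Office containers, which is why the allow-list exists; but the same allow-list is a blind spot for in-place encryption that preserves names, so production rules pair this signal with others (rename rate, ransom-note file creation, deletion of volume shadow copies). Tuning `MIN_FILES` and `WINDOW` is a trade-off between catching slow "low and slow" encryptors and paging on legitimate backup jobs.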
CYBERSECURITY IN THE PANDEMIC ERA
Recent trends

The effects of a divided workforce, now connected only via technology, allow attackers to exploit the trust of employees and flaws in technology to gain access to company resources.

The COVID-19 pandemic has increased the complexity of cybersecurity challenges for the middle market, due to reliance on less secure networks (e.g. home offices) to remain productive, as well as increased reliance on third parties.

Adversaries are unleashing a variety of attacks that only larger organizations may be equipped to identify and defend against.

- Ransomware attacks
- Attacks against healthcare providers
- Abuse of unsecure remote working infrastructure and culture
Recent trends – Pandemic related attacks

- Phishing
- Process
- Technical
- Regulatory
What has changed with a remote workforce?

- Where is our data being stored? On cloud services? Employees' personal computers? Mobile devices?
- How is our data being transmitted?
- Are there any weaknesses that could allow attackers to compromise our employees' remote networks or personal systems, potentially granting VPN access to the internal network?
- Have our business processes been updated to account for remote operations (e.g., accounts payable/receivable, payroll, use of devices, etc.)?
WHERE TO START
A tiered approach to improving security posture

1. Basic cyber hygiene; e.g. the top 5 critical controls from CIS
2. Gap assessment and roadmap
3. Closing the gaps and implementing continuous improvement
Board oversight principles
Source: NACD, Cyber-Risk Oversight 2020

Cybersecurity as a Strategic Risk
Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just as an IT risk.

Legal and Disclosure Implications
Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.

Board Oversight Structure and Access to Expertise
Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.

An Enterprise Framework for Managing Cyber Risk
Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

Cybersecurity Measurement and Reporting
Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.
What to ask from owners of the cybersecurity / risk function

Board members can ask the following questions of the individuals owning the cybersecurity function – if there is no such role, create one!

- What is the trend in our cybersecurity incidents?
- What do we need to know about our next partner, acquisition target, or product line? Are you able to help us answer those questions?
- How do you plan to engage and inform the Board in case of a major cybersecurity incident?
- How do you explain the changes in your report compared to the previous round?
- If you are approved for 20% additional budget, what is the first thing you will spend that money on?
- Do we have cyber insurance? Are we comfortable with its coverage?
- Are we facing any limitations that prevent us from securing our remote workforce? What are the limitations?
- How do we ensure that our Managed (Security) Service Provider is effectively monitoring for and detecting threats against our assets?
Data Privacy, Information Security, and Cybersecurity: What Your Business Needs to Know

Demystifying the SolarWinds attack – Have I been compromised?

GROWING ATTACK TRENDS IN THE FINANCIAL INDUSTRY

Attacks in the Financial Industry – Attack types
• Ransomware as a Service
• Ransom-based DDoS attacks
• Remote infrastructure attacks
• Supply chain attacks

Attacks are growing in sophistication
• Targeting both Windows and Linux environments
• Encrypting files using strong encryption
• Access to malware admin panels via TOR to manage builds, payments and documentation, and to maintain anonymity
• Automated test decryption, with the process automated from encryption through to withdrawal of money
• DDoS options at Layer 3 and Layer 7
• A partner to provide network access, or a person or team with pen testing skills

CYBERSECURITY IN THE PANDEMIC ERA

Recent trends
The effects of a divided workforce, now connected only via technology, allow attackers to exploit the trust of employees and flaws in technology to gain access to company resources.
The COVID-19 pandemic has increased the complexity of cybersecurity challenges for the middle market due to reliance on less secure networks (e.g. home offices) to remain productive, as well as increased reliance on third parties.
Adversaries are unleashing a variety of attacks that only larger organizations may be equipped to identify and defend against.
• Ransomware attacks
• Attacks against healthcare providers
• Abuse of unsecure remote working infrastructure and culture

Recent trends – Pandemic related attacks
• Phishing
• Process
• Technical
• Regulatory

What has changed with remote workforce?
• Where is our data being stored? On cloud services? Employees’ personal computers? Mobile devices?
• How is our data being transmitted?
• Are there any weaknesses that could allow attackers to compromise our employees’ remote networks or personal systems, potentially granting VPN access to the internal network?
• Have our business processes been updated to account for remote operations (e.g., accounts payable/receivable, payroll, use of devices, etc.)?

WHERE TO START

A tiered approach to improving security posture
1. Basic cyber hygiene; e.g. top 5 critical controls from CIS
2. Gap assessment and roadmap
3. Closing the gaps and implementing continuous improvement

Board oversight principles (NACD: Cyber-Risk Oversight 2020)
• Cybersecurity as a Strategic Risk: Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just as an IT risk.
• Legal and Disclosure Implications: Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
• Board Oversight Structure and Access to Expertise: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
• An Enterprise Framework for Managing Cyber Risk: Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.
• Cybersecurity Measurement and Reporting: Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.

What to ask from owners of cybersecurity / risk function
Board members can ask the following questions of the individuals owning the cybersecurity function – if there is no such role, create one!
• What is the trend in our cybersecurity incidents?
• What do we need to know about our next partner, acquisition target, or product line? Are you able to help us answer those questions?
• How do you plan to engage and inform the Board in case of a major cybersecurity incident?
• How do you explain the changes in your report compared to the previous round?
• If you are approved for 20% additional budget, what is the first thing you will spend that money on?
• Do we have cyber insurance? Are we comfortable with its coverage?
• Are we facing any limitations that prevent us from securing our remote workforce? What are the limitations?
• How do we ensure that our Managed (Security) Service Provider is effectively monitoring for and detecting threats against our assets?